Organizations Identify Top Cyber Threats in Response to SEC Guidelines, But Report Suggests Many Firms May be
Overlooking Critical Exposures

NEW YORK, June 10, 2013 – A majority of the U.S. listed Fortune 500 firms are following
the U.S. Securities and Exchange Guidelines by providing some level of disclosure regarding cyber exposures, with
more than half indicating their firms would face “serious harm” or be “adversely impacted” due to
a cyber-attack, according to a recent report by Willis North America, a unit of Willis Group
Holdings (NYSE: WSH), a leading global risk advisor, insurance and reinsurance broker.

The Willis Fortune 500 Cyber Disclosure Report, 2013, published today, presents the results of an
effort launched last year to track organizations’ response to SEC Guidance issued in October 2011, asking
U.S. listed companies to provide extensive disclosure on their cyber exposures.

The report found that 88% of the Fortune 500 are following SEC Guidelines as of April 2013
and providing “some level” of disclosure regarding cyber exposures. However, some companies within particular industries that
would seem to have exposures were silent, Willis said. Among those silent were an insurance company,
a pharmaceutical company, a restaurant chain and a health care firm – “all of which would
seem to have some level of cyber risk when compared to the disclosures of their peers,”
the report said.

The top three cyber risks identified by the Fortune 500 include:

Loss or theft of confidential information (65%)

Loss of reputation (50%)

Direct loss from malicious acts (hackers, virus) (48%)

Commenting on the survey, Chris Keegan, Senior Vice President, National Resource E&O and e-risk, Willis North America
and co-author of the report, said, “Many of the results are not surprising as we know
firms are actively taking steps to assess and mitigate their cyber risk, even if they have
not been able to quantify a dollar amount associated with the risk.”

“However, we also see some surprising results which suggest some firms may be overlooking critical exposures,” Keegan
said. “For example, only one out of five firms mention cyber-terror (20%) as a factor, despite
the heightened emphasis on cyber-terror by the U.S. government. In addition, only one out of ten
firms detailed cyber threats caused by the acts of outsourced vendors. This runs contrary to what
we see in our day-to-day practice given the high frequency of cyber events stemming
from outsourced vendors,” he said.

When it comes to protection against cyber risk, only 6% of companies mentioned that they purchased insurance
to cover cyber risks “even though recent market surveys are showing significantly higher take-up rates
for cyber insurance among public companies,” Keegan said. Meanwhile, 52% of firms referred to technical solutions
they have in place, but a significant number (15%) also indicated they do not have the
resources to protect themselves against critical attacks, the report said.

Ann Longmore, Executive Vice President, FINEX, Willis North America and co-author of the report, cautions about the
other potential impacts of cyber risk, particularly on Directors and Officers Liability. “D&O liability risk may
be heightened for companies that experience cyber breaches if cyber risk disclosures are deemed not to
meet SEC standards and a significant loss were to occur. This may be especially true if
peers have provided more detailed disclosure,” she said.

About Willis

Willis Group Holdings plc is a leading global risk advisor, insurance and reinsurance broker. With
roots dating to 1828, Willis operates today on every continent with more than 17,000 employees in
over 400 offices. Willis offers its clients superior expertise, teamwork, innovation and market-leading products and professional
services in risk management and transfer. Our experts rank among the world’s leading authorities on analytics,
modelling and mitigation strategies at the intersection of global commerce and extreme events. Find more information
at our website, www.willis.com, our leadership journal, Resilience, or our
up-to-the-minute blog on breaking news, WillisWire. Across geographies, industries and specialisms, Willis provides its
local and multinational clients with resilience for a risky world.